Breaking Down GDPR and What It Could Mean for US Physicians
There’s a high chance that if you subscribe to 200 mailing lists, you’ve received what feels like 1,000 emails informing you about privacy policy changes. All of these emails are coming in the wake of the European privacy law called the General Data Protection Regulation (GDPR). What do you need to know about this law, even if you’re only treating patients in the United States?
Who Is Affected by GDPR?
Any business that is established in the European Union, and any business that handles the personal information of “data subjects” in the European Union, regardless of where those subjects live or their citizenship, is subject to GDPR. If a doctor works or is based in the EU and has a website that collects any personal data, like a name, email address, phone number or IP address (even through Google Analytics), they are required to comply. Doctors in the UK must follow these new regulations, but US doctors are exempt…for now. There’s a good chance that over the course of the next few years, the United States will put similar regulations into place.
What Happens if Doctors Don’t Comply?
Anyone who doesn’t comply with these new laws can be subject to fines of up to 20 million pounds or 4% of worldwide turnover for the past 12 months, whichever is greater. These steep fines probably won’t be levied against small practices, but instead against the businesses that receive the most complaints. It’s a good idea to practice keeping patient data safe now, instead of running into nasty surprises in the future.
What Should You Do for GDPR?
If GDPR-type regulations go into place in the United States, here’s what you need to know!
- Personal data includes names, phone numbers, emails, questions, comments, IP addresses and digital data. Even if you do nothing with personal data but store it, you must still comply.
- You should audit the personal data that you’ve already collected and note where it is from and who it is shared with. Once you do that, you should document the legal basis for the processing of data and send an email to all existing list members to notify them of your privacy policy.
- When collecting personal data in the future, you must add opt-in wording to all of your forms. It should include the affirmation of “explicit, affirmative and granular consent.” Patients should have no doubt that they are granting their consent, rather than simply being presented with a pre-selected checkbox. Your privacy policy should also be written in plain, easy-to-understand English.
- Update your cookie policy or add one.
- Make sure that all of your data processors are GDPR-compliant.
Protect Patient Information with Vetters Enterprises
Vetters Enterprises specializes in practice management, private practice business support and revenue cycle optimization. We can perform in-depth assessments of your practice or facility and identify potential issues. Let us keep your business as healthy as you keep your patients! Give us a call at (443) 352-0088.